SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 278

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 279

changes.mady.by.user Unknown User (lflynn)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The C Standard, 6.5.7, paragraph 4 [ISO/IEC 9899:2011], states

...

In almost every case, an attempt to shift by a negative number of bits or by more bits than exist in the operand indicates a logic error. These issues are covered by INT34-C. Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand.

Noncompliant Code Example

This noncompliant code example performs a left shift, after verifying that the number being shifted is not negative, and the number of bits to shift is valid.  The PRECISION() macro and popcount() function provide the correct precision for any integer type. (See INT35-C. Use correct integer precisions.) However, because this code does no overflow check, it can result in an unrepresentable value. 

...

Compliant Solution

This compliant solution eliminates the possibility of overflow resulting from a left-shift operation:

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

SEI Coding StandardARR30-CCON08-CCWE-129, Improper Validation of Array Index

Taxonomy

Taxonomy item

Relationship

CERT CINT02-C. Understand integer conversion rulesPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CINT35-C. Use correct integer precisionsPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CINT33-C. Ensure that division and remainder operations do not result in divide-by-zero errorsPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CINT34-C. Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operandPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CARR30-C. Do not form or use out-of-bounds pointers or array subscriptsPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CARR36-C. Do not subtract or compare two pointers that do not refer to the same arrayPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CARR37-C. Do not add or subtract an integer to a pointer to a non-array objectPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CMSC15-C. Do not depend on undefined behaviorPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CCON08-C. Do not assume that a group of calls to independently atomic methods is atomicPrior to 2018-01-12: CERT: Unspecified Relationship
CERT Oracle Secure Coding Standard for JavaINT00-J. Perform explicit range checking to avoid integer overflowPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Arithmetic Wrap-Around Error [FIF]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961Overflowing signed integers [intoflow]Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11MITRE CWECWE-190, Integer Overflow or Wraparound2017-05-18: CERT: Partial overlap
CWE 2.11CWE-1912017-05-18: CERT: Partial overlap
CWE 2.11CWE-6802017-05-18: CERT: Partial overlap

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-20 and INT32-C

See CWE-20 and ERR34-C

CWE-680 and INT32-C

Intersection( INT32-C, MEM35-C) = Ø

Intersection( CWE-680, INT32-C) =

  • Signed integer overflows that lead to buffer overflows

CWE-680 - INT32-C =

  • Unsigned integer overflows that lead to buffer overflows

INT32-C – CWE-680 =

  • Signed integer overflows that do not lead to buffer overflows

CWE-191 and INT32-C

Union( CWE-190, CWE-191) = Union( INT30-C, INT32-C) Intersection( INT30-C, INT32-C) == Ø

Intersection(CWE-191, INT32-C) =

  • Underflow of signed integer operation

CWE-191 – INT32-C =

  • Underflow of unsigned integer operation

INT32-C – CWE-191 =

  • Overflow of signed integer operation

CWE-190 and INT32-C

Union( CWE-190, CWE-191) = Union( INT30-C, INT32-C) Intersection( INT30-C, INT32-C) == Ø

Intersection(CWE-190, INT32-C) =

  • Overflow (wraparound) of signed integer operation

CWE-190 – INT32-C =

  • Overflow of unsigned integer operation

INT32-C – CWE-190 =

  • Underflow of signed integer operation

Bibliography

[Dowd 2006]Chapter 6, "C Language Issues" ("Arithmetic Boundary Conditions," pp. 211–223)
[ISO/IEC 9899:2011]Subclause 6.5.5, "Multiplicative Operators"
[Seacord 2013b]Chapter 5, "Integer Security"
[Viega 2005]Section 5.2.7, "Integer Overflow"
[Warren 2002]Chapter 2, "Basics"

...